Virtualmin on Ubuntu not picking up newer apache modules (was: Security policy ...)


I’m a bit confused about something.

I have a server running Virtualmin GPL, currently 3.76. Some of the apache2 related modules running on it are:

apache2-doc 2.2.8-11vm

apache2-mpm-prefork 2.2.8-11vm

apache2.2-common 2.2.8-11vm

which come from the Virtualmin repository for Hardy Heron.

Problem is … these modules were installed on the server several months ago and are (relatively) quite old. Normally this is not a problem, except that since the time these modules were installed …

o Apache has had one or two security releases

o Ubuntu Hardy repositories also have had some security releases for Apache.

So the apache* 2.2.8-11vm packages on my server have not been updated since these security vulnerabilities have come out.

I’ve tried updating the package information on my server, but it doesn’t find any newer apache* modules from the Virtualmin repository.

So my question is …

Is it okay to be using these apache* 2.2.8-11vm packages? Am I pulling stuff from incorrect repositories?

Is 2.2.8-11vm the latest version of these packages?

If 2.2.8-11vm is the latest, then these packages are outdated and presumably vulnerable. What is Virtualmin’s policy on security updates from upstream sources?

I hope you can clarify this. Something doesn’t feel quite right.

Thank you.

EDIT: Changing title of post to be more accurate.

Also, if it helps, this is my output from an update. Executing this command didn’t change my situation.

$ sudo apt-get update Hit virtualmin-hardy Release.gpg Ign virtualmin-hardy/main Translation-en_AU Hit hardy-security Release.gpg Ign hardy-security/main Translation-en_AU Ign hardy-security/restricted Translation-en_AU Hit hardy Release.gpg Ign hardy/main Translation-en_AU Ign hardy/restricted Translation-en_AU Hit virtualmin-hardy Release Ign hardy-security/universe Translation-en_AU Ign hardy-security/multiverse Translation-en_AU Hit hardy-security Release Hit virtualmin-hardy/main Packages Ign hardy/universe Translation-en_AU Ign hardy/multiverse Translation-en_AU Hit hardy-updates Release.gpg Ign hardy-updates/main Translation-en_AU Ign hardy-updates/restricted Translation-en_AU Ign hardy-updates/universe Translation-en_AU Ign hardy-updates/multiverse Translation-en_AU Hit hardy Release Hit hardy-security/main Packages Hit hardy-updates Release Hit hardy-security/restricted Packages Hit hardy-security/main Sources Hit hardy-security/restricted Sources Hit hardy-security/universe Packages Hit hardy/main Packages Hit hardy/restricted Packages Hit hardy/main Sources Hit hardy/restricted Sources Hit hardy/universe Packages Hit hardy-security/universe Sources Hit hardy-security/multiverse Packages Hit hardy-security/multiverse Sources Hit hardy/universe Sources Hit hardy/multiverse Packages Hit hardy/multiverse Sources Hit hardy-updates/main Packages Hit hardy-updates/restricted Packages Hit hardy-updates/main Sources Hit hardy-updates/restricted Sources Hit hardy-updates/universe Packages Hit hardy-updates/universe Sources Hit hardy-updates/multiverse Packages Hit hardy-updates/multiverse Sources Reading package lists... Done


You should be seeing version 2.2.8-12vm.ubuntu0.14 for Apache in Virtualmin’s repository.

If you aren’t – well, that’s odd :slight_smile:

I verified that the actual packages are in the repo.

After running the “apt-get update” that you ran above, if you don’t see a newer Apache when running “apt-get upgrade”, it’s possible something’s wrong with the repositories metadata, and I can talk to Joe about that.

In the meantime, while it’s a bit of a pain, you can always manually download the files from in here:


Thank you for your very prompt response.

I’d say there’s likelier to be something wrong with my system setup so let me go have a look at that and report back.

you can always manually download the files from in here:

Thanks, but I’d rather do things the right way because there may be other packages which aren’t picked up.

Which brings me to the following questions (out of curiousity) …

Are there any other Ubuntu packages that you modify for Virtualmin besides apache? Or are they too numerous to list?

How come you had to modify apache (if it’s not too long to answer)?


No luck in trying to get apt-get to pick up the 2.2.8-12vm.ubuntu0.14 versions.

I’ve tried various apt-get cleans and upgrades and installs and it’s just not acknowledging any of the newer versions of the affected packages.

Here, also is the bottom of my /etc/apt/sources.list:

# deb hardy partner # deb-src hardy partner

deb hardy-security main restricted
deb-src hardy-security main restricted
deb hardy-security universe
deb-src hardy-security universe
deb hardy-security multiverse
deb-src hardy-security multiverse
deb virtualmin-hardy main

Can you please get someone to check the repository meta data? Or anything else you can think of that I can check?

Here’s something that may or may not be interesting.

Downloading the file and then doing a grep for applicable version numbers gives:

$ grep '2.2.8-.*vm' Packages | grep Version | sort | uniq Version: 2.2.8-10ubuntu0.6vm Version: 2.2.8-10vm.ubuntu0.15 Version: 2.2.8-11vm

The latest version that appears in the Packages file is 2.2.8-11vm. The version string 2.2.8-12vm.ubuntu0.14 does not appear at all.


Are there any other Ubuntu packages that you modify for Virtualmin besides apache? Or are they too numerous to list?

You can see a list of all the custom modified software by browsing the Virtualmin Ubuntu repository:


I’ve added a request for this here
The .deb packages are in the repo, from what I know the “Packages*” files needs to be recreated.